Why do we need Information Management

I am guessing most of the readers of this blog are in the University of Washington's Master of Science in Information Management (MSIM) program. For those that aren't, the MSIM program focuses on connecting Technology, People and Information. I am sure you have heard the statistics about how much information is out there. With the advancement of the internet, we have caused the amount of information in the world to explode. All of this is well and good, but the problem arises when you try to make sense of the information. I was watching a TED talk recently that was basically an overview of what the MSIM program is, without meaning to be. The talk is given by Thomas Goetz and it focuses on two things: first, the use of fear to accomplish things, and second, the idea that more medical problems could be solved not by better medicine but by better information presentation.

As a security professional, the idea that fear wasn't the best way to relay information was something that I hadn't considered before. If you have heard any sort of talk in regards to Computer Security you have heard that a hacker can steal your identity, your bank account and, with a little effort, your first-born. Okay, so I am exaggerating a little, but every talk I have given or heard about Computer Security has been about the negative effects of not securing your network. Then, after giving presentations about how there is never a secure system, they wonder why executives haven't approved their expanded budgets. I believe we, as security professionals, are going about this all wrong. Instead of focusing on how impossible security is, we need to start focusing on how we can make the network better overall with the enhancements that security brings. In this realm I have found that UX people do a good job for the most part. When they make a presentation about a new website design they don't sit there and say how little traffic there is and how confusing the current User Interface (UI) is and then sit down. They quickly go over some of the problems with the current UI and then go on to show how well their UI will work and what it can bring to the table. Now this might just be an issue for Security professionals, but I have a feeling it isn't. Overall, as professionals, we need to focus on the idea that has been thrown around this blog, and that is the Value Added principle. Focus on what value you are going to add to the company and how much it will help in the short and long term.

Now, as a final statement, this doesn't only apply to people working. If you are looking for a job, focus on what you can do for the company. If you can get the other person even a little bit excited about what you could do for them or the potential you have to help their company, you will stay in their mind. And believe me, the more good things you give the interviewer to remember you by, the better.

Now I realize that this may not be new to most of you, but I found the talk incredibly interesting. I have a link to it below in case anyone is interested. What are your thoughts? Is it better to go all positive? Are there any drawbacks of only focusing on the positive? Or is it better to talk about a combination of fear and potential?

Wikileaks and weak links

This post is about Wikileaks, without being about Wikileaks. We know the most recent Wikileaks release was an overwhelmingly large set of data, generated by a fairly low-ranking intelligence analyst, and contains potentially sensitive information. The aspects of the Wikileaks scandal that fascinate me, however, are the human and organizational factors affecting data security.

Why did Bradley Manning do it? He must have known he would be subject to a long prison sentence (at best), and made no efforts to hide his actions. Assuming he was acting rationally, the benefits he imagined from doing so outweighed the prospect of certain punishment. Manning must have evaluated the volume and nature of the data at his disposal – data owned by his organization, effectively the U.S. government – and chosen to place his individual motivations above those of the organization to which he belonged.

His own Wikipedia page and various media reports describe Manning’s “disillusionment,” and some opinion pieces paint him as “disgruntled.”

Disgruntled at the age of 23?

This fact points to the causes of the leak: it’s a people problem, more than an information problem. This includes security clearances, i.e., how many eyes need to see the information, but the solution is not about security clearances. Safeguarding organizational data such as that shared in the Wikileaks event is ultimately a management issue, for the following reasons:

A change in employee behavior is a crucial signal to management. It would surprise me if Manning’s behavior changed overnight from unassuming analyst to data thief. A good manager should look for changes in employee behavior that signal a shift in attitude. Furthermore, a manager should ensure he has enough information to act on if restricting or revisiting information flows becomes necessary, particularly in the event that an employee’s risk profile changes.

Digital natives exhibit different workplace values than their older counterparts. At 23, Manning is a digital native. Individuals under the age of 30 have grown up with technology in a world where a sense of possession is poorly defined in digital terms. Digital natives have a different notion of right and wrong in sharing information than previous generations of workers, even when information is proprietary to their organizations. Generation Y is also less loyal to organizations, and expects authority figures to earn their respect, rather than commanding it automatically. (I realize the Army is a very special kind of organization; however, the military cannot claim to be modernizing for warfare in the Information Age and expect to preserve outdated management philosophies, particularly when recruiting overwhelmingly from the digital natives demographic.)

Technology itself distracts from the human issues. Security specialists discuss access protocols and authentication procedures, but focusing on such issues is like staring at the end of someone’s finger when she points to a mountain in the distance. Internal data leaks are a real threat, but they are also perpetrated by people. The Information Age is changing the relationship between people and organizations. Adding to the urgency of the problem, today’s technological capabilities allow people to share and act on information as quickly as they think to do so. When “think it – do it” is the norm, it is important for an organization’s management to communicate expectations about information use and dissemination and to assess and monitor, in an honest way, the risks associated with information flows.

The landscape of information behavior is undergoing a major shift, and technology is merely an enabler of behavior. An individual’s ability to act impulsively, and with powerful tools that can execute enormously impactful actions digitally, should prompt organizations to manage closely the human aspects of internal security threats. It takes one weak link in an organization – unmonitored, disillusioned – to commit a destructive act with sensitive data. Although individuals should be empowered to make ethical, informed decisions when acting on behalf of their organizations, management culture must continue to adapt to the new Information Age, and its digital natives.

Photo by -Tripp-. Used in accordance with a Creative Commons 2.0 license.

Too many TLAs

I had a teacher once say that IT is riddled with TLAs (Three-Letter Acronyms). He thought it was hilarious. It wasn't until I started really looking into IT, and security especially, that I realized he was right. In the realm of technology there are some acronyms that most people know, such as HTTP, IP, PC and so on, but when you add Security it turns into something you would expect in your alphabet soup. PCI-DSS, SOX, FISMA, ISO, HIPAA, HITECH, UDP, TCP, CERT, IR, XSS, CSRF, PWN, IPSEC, SCADA, and the list goes on. I am sure that you could guess some of them, but the first six are probably the most debated. Payment Card Industry – Digital Security Standards (PCI-DSS), Sarbanes-Oxley (SOX), Federal Information Security Management Act (FISMA), International Organization for Standardization (ISO; don't ask, it doesn't make sense to me either), Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) are some of the security standards that businesses have to worry about.

Aside from these are any internal audits that companies have to pass. Many times all this adds up to one thing: confusion. Take a company that handles its employees' healthcare records as well as having a federal contract while being a publicly traded company. This company has to deal with parts of HIPAA and HITECH as well as FISMA and SOX. You would think that these standards would correlate and go hand in hand, but they were all developed independently, so they have different requirements. This is where Security Professionals are the most challenged. Whether they are securing their network or auditing a network using these standards, there is a challenge.

Most often what happens is that a company that is trying to meet the requirements of these standards does one of two things: they either do the bare minimum to meet the requirements right before the deadline, or they essentially put everything behind Security and do things that will make the company more secure from their point of view but do so at the cost of usability. Now I have written about how usability and security need to go hand in hand, so that isn't the angle I want to take right now.

My main focus is that when companies think they have to choose between security and usability, it creates not only a hard time for users but also a situation where users do things in order to get around the security measures, thereby creating security holes that weren't accounted for. Examples of this are writing down passwords and usernames, saving usernames and passwords in the browser, saving documents on a USB drive, and trusting links that may not be legit. While this can be solved with good user training, there is no need to put that burden on the users, especially when, if a company is compromised because of the workarounds, the company still ends up paying the fine, which can amount to millions of dollars.

Basically, my suggestion is for all companies to stop looking at securing servers and networks and start securing Information. That way it leads to looking at the data they are securing and not what is holding it. This might force them to walk through what users are going to do once their applications and network are set up and working. Hopefully this will allow them to start truly incorporating both usability and security into their business.

As a side note, if you are interested in the true cost of a security breach, there is a research project that I was a part of a few years ago that was presented at a conference. The video is kind of poor quality, but the information is valid. I didn't present it but did work on the external costs, those aside from any possible fine that is part of a security breach. http://vimeo.com/5384048


Business vs IT

After reading the last few posts by nickmalone and Jordan I started to think back about the companies that I have either observed or been employed by, and I realized one thing. There's a large disconnect between the technical people and the business people. Now I realize that some of you already know this, but hear me out. I think this causes more problems than many realize. NickMalone's post is a great example of what can happen when that gap isn't addressed, and Jordan's advice of value added statements is a great way to start fixing the problem.

As many of you know, I have my Bachelor's in Information Systems, which is more of a pure Information Technology degree as it had very few business classes. I was very happy just learning about how to program and network computers. The more I learned about networking specifically, the more I thought I knew about succeeding in the business environment. The last quarter of my Bachelor's degree I took an Advanced Oracle Database class. That class introduced me to a whole new thought process behind IT: that IT is there to solve business problems. Before that I hadn't really thought about how IT related to business. Now some of you may be saying, of course IT is there to solve business problems, what else would it be doing? But I want you to think about any current or past IT project that you may be on. What was the purpose? There are always stock answers of improving user experience or improving the way the business functions, but what really was the main goal behind the project? What was it going to do to help that particular company succeed?

That is what I believe is the main point/goal behind Nick and Jordan's last posts, and what I believe is the fundamental problem in IT departments. Too many IT professionals can make computers do amazing things, but they have forgotten that IT is there to help businesses succeed, not the other way around. I am sure there are cases where it is different, but even for companies that specialize in IT consulting or Software design, every IT system should have a purpose and should be directly correlated to a business function. Once that business goal or function is identified and focused on, I believe that IT projects will be smoother and stop having the Business needs vs. Personal needs issues that NickMalone talked about.

Now I don't mean to sound like this is all a problem with bottom-level IT people. When was the last time you heard about an Executive of a company wanting to implement some new technology that they read or heard about? Maybe they heard about social networks and want to implement one on their intranet, and tell their direct reports to start making a business case for it. Here again is another face of the same problem. You shouldn't make business cases for technology. You should make "Technology Cases" for business problems. It might be a slight adjustment, but think about how many times technology gets implemented without proper planning and so fails. If executives, managers and underlings alike were to start the planning and implementation phases of every project by linking everything back to specific business problems, businesses would spend less and be more productive overall.

Now I realize that I don't have the years of experience of others who are reading this blog, so I ask for your thoughts. When was the last time you started a project that failed? Did you know the main purpose behind the project? Was that purpose if you did know it? Have you seen a difference between projects that directly relate back to business goals and ones that are unclear of business goals? Now this doesn't fully address the change management side of things, but I believe that if employees truly understood how these specific technology implementations helped not only them but the business as a whole, you would have less pushback, and believe me, being in Security, I know about users pushing back on new technology implementations, but that is a whole different post.

I turned my back on social media

Facebook profile deleted. Twitter account deleted. LinkedIn has been spared for professional use.

I cannot deny that Twitter in particular has been a powerful tool. Every day the best minds in the UX/IA, Content Strategy, and Educational Technology fields shared their knowledge and invaluable learning resources. Following individuals from the iSchool at UW, I could learn about their varied interests: clean water initiatives, open government, social media trends.

Recently, a fellow Twit informed me that I had a too-long account handle: retweeting and crediting my thoughts or links took up a lot of space. This individual did not bother to follow me, either, as I was not adding much value with my tweets (and I am more or less obsessed with adding value).

Given those facts, I reconsidered my social media use. And once I began thinking, I concluded its use had also changed my information consumption in negative ways:

Sharing took precedence over creating. My Tweetstream or Facebook news feed always had some new tidbit or opinion on a current issue. I consumed these nuggets insatiably, rather than synthesizing a worldview. I became an increasingly lazy thinker.

These tools encourage reacting, not relating. Online posting feels safe, conducted from one’s home office, even when it is not anonymous. Discussions are unmoderated, have a low barrier to entry, and text conveys tone poorly. It is too easy to respond to a link with another link. I worried how that could be affecting my real-world discourse.

People online are so…human. Follow anyone for 24 hours a day on Twitter and he is bound to sound like a jerk at some point. I was surprised how many public figures throw Twitter tantrums (Twantrums?) about frustrations with air travel delays. I can now “follow” these figures through RSS feeds of their very smart blogs instead.

Privacy meant opting out. I was tired of reading about – then reviewing and managing – the privacy settings on the newest Facebook feature. Twitter was less worrisome, though it offers binary account settings: public or private are the two choices. Frankly, there is very little legal protection for the average person regarding the use of information shared online, though developments in Germany may point to legislative changes in the future.

Since this is a blog about managing information, I felt compelled to examine my failure to integrate social media into a personal information management strategy. At least for a time, I have to take a break from social media, which I perceived to negatively influence my information consumption. The costs of using Twitter or Facebook for personal reasons outweigh the benefits to me right now. It is back to Google Reader I go.

I would be grateful for others’ opinions about the uses of social media (in a personal capacity) in the comments.

Security Vs. Usability ?

In the security blogs and conversations I have watched, most security people are constantly fighting usability or trying to get people to focus on security rather than usability. I believe this idea is holding back security from progressing farther and faster than it could. This is also stopping some very impressive security controls from being developed and in many cases may stop companies from implementing the necessary security controls.

I was speaking with someone who had recently presented at a security conference. He told me that there were multiple presentations where the first 5 slides were purely theory and 90% text. In that atmosphere you are going to lose a vast majority of your audience, even if they were originally interested in the project. In contrast, tonight I was at a Master's thesis presentation. These presentations were about things ranging from User Experience, Supply Chain Management, Security and other Information Management topics. Having previously heard presentations about all of these projects, I was amazed at how each project brought it down to the user level and why it was important. After thinking about it, I realized that is what is missing from Security and Usability. People spend all their time trying to do more with security or usability at the expense of the other. I believe that if Security people spent more time thinking about how to make security usable as well as secure, companies would buy into security faster than they do now.

While I believe that much of the problem does lie with the security professionals, I also believe that this problem could be made easier if more User Design/User Experience people could help with this problem by actively incorporating security people while designing things. If security and design worked together more, you would have better applications/networks and fewer applications like one I have to use that requires a 21 character password with at least 2 uppercase characters, 2 numbers and 2 non-alphanumeric characters.

As I am not a full-time security person and I don't pretend to be a User Design/UX person, I eagerly await your thoughts. Do you think that applications, or other computer related things, can be made secure and usable, or is it a hopeless cause?

Information Security Improving with time?

I ran across two interesting articles today on a website called bankinfosecurity.com. One was an Interactive Timeline to Breaches at US Financial Institutions so far this year. When I came across this article I wondered how it compared to a similar timeline for 2009. The biggest breach in 2009 for a financial institution was the Heartland Payment breach in January of last year, where 130 million records were lost, while the biggest number of records lost so far this year is 1.2 million. If you take out the top two breaches, then it was interesting to see that January and February had about the same number of breaches, but it looks like in terms of number of records lost 2010 wins.

This brings to mind a couple of questions. First, with security becoming more recognized, why are breaches happening at the same rate? This could be for multiple reasons, the first of which being that the hackers are getting more advanced. While I don't doubt this, I believe the answer is much simpler. If you talk to any security professional they will say the biggest threat to any company is people, or Social Engineering. You can have the most advanced security controls in place, but if people write their password on sticky notes and put them on their desk or computer, then no security controls will ever help.

Now I am not saying people are the downfall of security and you should never trust your employees, but it is something that needs to be considered in any business. Businesses need to educate people on not only basic security practices but why these practices are important. Train people not only how to create a secure password but how to recognize someone trying to talk their way into a business. Social Engineering causes more problems for companies than someone hacking their way into a company's secure servers because it is easier. With just a phone call you can try to get someone to reset a password on an account and therefore give you access into a system. If you want to learn more about social engineering, Kevin Mitnick has a great book out called The Art of Deception: Controlling the Human Element of Security.

Now I am not the most experienced security person, so any thoughts or suggestions are appreciated. What do you guys think? If you are in the security field, how do you combat this problem, and if you aren't in security, what do you think about being trained on basic security practices by your company at regular intervals? Do you think it helps? Why or why not?